Is The World Knocking At Your Door, Or Trying To Kick It In? The Multi-Gigabit DDoS Threat

If a miscreant wanted to knock you off the Internet, how could they go about it?

A flood ping is the obvious weapon, or at least it was long ago. Something like this:

 $ ping -f -s 1472 targethost

You can still find references calculating what it would take to saturate a T1 connection with a flood ping. Sorry, but if you only have a 1.5 Mbps connection then you have already done a denial of service against yourself. And only a foolish attacker would do the above as it’s quite obvious where all the ICMP Echo Request packets are coming from.

The trick is to combine reflection and amplification. What are they?

The easiest explanation starts with the antiquated Smurf Attack. A program named smurf.c was released in 1997, versions are widely available. An automated scan of the Internet can find a “Smurf Amplifier” organization, one where a large number of Internet-reachable hosts respond to ICMP Echo Request packets sent to a broadcast IP address, and where the routers forward IP broadcast packets. Both of those characteristics contradict what has been considered best practice for many years now, but there are Smurf Amplifier organizations out there.

The attack code then sends a series of specially crafted packets where the IP layer falsely claims to be from the target host and has a destination of the IP broadcast address at the amplifier site.

 From: Target
 To:   Every host at the amplifier site

Within that is an ICMP message asking “Please echo this large data payload back to me.”

The attacker gets amplification — transmit one packet and trigger thousands, one from each host at the amplifier organization. And also reflection — the targeted victim only sees that the flood of packets came from amplifier organization.

ICMP to broadcast addresses is easily blocked at perimeter routers and operating systems can be configured to ignore these packets through patches or kernel tuning. So an analogous attack based on UDP packets was soon designed, called the Fraggle Attack after the fraggle.c program widely available.

Stateful packet filters at edge routers plus, of course, NAT or Network Address Translation would keep an organization from being a Smurf or Fraggle amplifier, but of course you can always be hammered by traffic from sites that don’t follow best practice.

Also, the bad guy’s ISP should be doing Ingress filtering and egress filtering, collectively called sanity checking. (Cisco calls it Unicast Reverse Path Forwarding.) This examines the source IP address and drops an “insane” packet, one clearly not coming from its claimed source IP address. This would include all those triggering packets claiming to be from the attack target.

The Best Current Practice documents BCP 38 and BCP 84, RFC 2827 and RFC 3704, respectively, urge the use of sanity checking.

Unfortunately, not everyone follows best practice. Attacks can be launched with forged source IP addresses, and large organizations function as amplifying reflectors.

Learning Tree’s System and Network Security Introduction course explains these attacks and the best practice defenses, it’s a good place to start learning about this.

Come back next week as DDoS attacks move into the modern era.

Bob Cromwell

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.